feat(mes): add example of disabling traffic to MeshExternalService on Mesh #2126

Merged: 3 commits, Dec 20, 2024
1 change: 1 addition & 0 deletions .github/styles/config/vocabularies/Base/accept.txt
Expand Up @@ -100,6 +100,7 @@ MADR
md
minikube
Maglev
MeshExternalService
MeshGateway
matchers
Mockbin
36 changes: 33 additions & 3 deletions app/_src/networking/meshexternalservice.md
Expand Up @@ -12,12 +12,14 @@ The `MeshExternalService` resource allows you to declare external resources inst
{% tip %}
What is the difference between `MeshPassthrough` and `MeshExternalService`?

The main difference is that `MeshExternalService` is assigned a custom domain and can be targeted by policies. `MeshPassthrough`, on the other hand, does not alter the address of the original host and cannot be targeted by policies.
The main difference is that `MeshExternalService` assigns a custom domain and can be targeted by policies.
`MeshPassthrough` does not alter the address of the original host and cannot be targeted by policies.
{% endtip %}

{% warning %}
Currently `MeshExternalService` resource only supports targeting by [MeshTrafficPermission](/docs/{{ page.release }}/policies/meshtrafficpermission) with [Zone Egress](/docs/{{ page.release }}/production/cp-deployment/zoneegress).
This limitation will be lifted in the next release.
Currently you can not configure granular [MeshTrafficPermission](/docs/{{ page.release }}/policies/meshtrafficpermission) for MeshExternalService.
You can only enable or disable whole traffic to MeshExternalService from Mesh by [Mesh resource configuration](/docs/{{ page.release }}/production/mesh/).
More on this in [Controlling MeshExternalService access from Mesh](/docs/{{ page.release }}/networking/meshexternalservice/#controlling-meshexternalservice-access-from-mesh) section.
{% endwarning %}

## Configuration
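Review bot: the reworded tip line "The main difference is that `MeshExternalService` assigns a custom domain" changes the meaning of the line it replaces: the resource is assigned a custom domain by the mesh, it does not assign one itself, so keep "is assigned a custom domain". In the new warning, "can not" should be "cannot", and "enable or disable whole traffic to MeshExternalService from Mesh" reads better as "allow or forbid all traffic to MeshExternalService resources from the Mesh". The removed line also told readers the limitation will be lifted in the next release; if that still holds, keep it so the mesh-wide switch is understood as a stopgap rather than the intended long-term access control.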
Expand Down Expand Up @@ -142,6 +144,34 @@ networking:
port: 9901"
```

### Controlling MeshExternalService access from Mesh

At this moment you cannot configure [MeshTrafficPermission](/docs/{{ page.release }}/policies/meshtrafficpermission) for
MeshExternalService. But you can configure access to all external services on Mesh level. For example, you can disable
outgoing traffic to all MeshExternalServices:

{% tabs usage useUrlFragment=false %}
{% tab usage Kubernetes %}
```yaml
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
name: default
spec:
routing:
defaultForbidMeshExternalServiceAccess: true
```
{% endtab %}
{% tab usage Universal %}
```yaml
type: Mesh
name: default
routing:
defaultForbidMeshExternalServiceAccess: true
```
{% endtab %}
{% endtabs %}

## Examples

TCP examples use https://tcpbin.com/ service which is a TCP echo service, check out the website for more details.
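Review bot: the new section shows only the forbid case and states neither the default value of `routing.defaultForbidMeshExternalServiceAccess` nor what happens to connections that are already established when the flag is flipped, which is the first thing an operator weighing a mesh-wide deny will ask; suggest one sentence giving the default and making explicit that the setting applies to every MeshExternalService in the Mesh with no per-service override, since the same hunk says granular MeshTrafficPermission is not available. Minor wording: "At this moment you cannot configure" duplicates the warning above and can be shortened to "Currently you cannot configure", and "all MeshExternalServices" should be "all MeshExternalService resources" to match the rest of the page.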